In a forthcoming paper, a law professor argues that more passive forms of cyberdefenses, like firewalls and anti-virus software are not completely adequate when it comes to cyberattacks.

With the growing threat of cyberterrorism surrounding an always connected world, a new recommendation from a University of Illinois law professor encourages an active self-defense approach to keeping critical electronic infrastructures safe.

Professor Jay P. Kesan (pictured right) argues in a forthcoming issue of the Harvard Journal of Law and Technology that more passive forms of cyberdefenses, like firewalls and anti-virus software are not completely adequate, and instead calls for an active defense through "mitigative counterstriking" when it comes to cyberattacks.

"The threats from cyber-attacks are real, and the harm of a potential attack can be far greater than what we can currently combat," Kesan said.

Three-pronged approach

An active defense is a three-pronged approach to responding to a cyber-attack: detecting intrusions, tracing the attack back to the attacker and executing a counterstrike.

The counterstrike, Kesan writes, can either be retributive, meaning that the counterstrike punishes the attacker, or it can mitigate the damage to the victim’s electronic infrastructure.

While the technology is available to make such an active defense approach feasible, the legal status of the practices is less viable in current systems of law.

"The principles of mitigative counterstriking are legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending or reinterpreting the law," Kesan said.

No legal recourse

According to the study, there is no domestic or international legal apparatus to prevent cyber-crimes, and the murky nature of cyber-jurisdiction along with the challenges of identifying an attacker make criminal prosecution difficult.

"Cyber-attacks are fundamentally different from crime," Kesan said.

"The person may be physically very far away from you, and you may not be able to use traditional legal remedies against that person, since civil and criminal remedies require jurisdiction over a person. In those circumstances, what do you do?"

Partnership needed?

Kesan suggests a private-public partnership agency that is government-affiliated, one that can provide private parties with the necessary technology and legal protections to carry out an active defense and counterstrikes.

Regardless of what governments decide, Kesan says that the time to finalize a policy is rapidly approaching.

"We rely on our online infrastructure for just about everything," he said. "That represents a good choke point, one that might be an attractive target for people who wish to do harm to us. If they were successful, it would have the potential to cause a great deal of economic hardship. That's why we need to be prepared before we are faced with the fallout from an attack."